Michael Ströder wrote:
> Nelson Bolyard wrote:
>> OCSP stapling allows a TLS server to send a copy of a recent OCSP response (issued by the issuer of that server's cert) along with the cert in the TLS handshake, thereby saving the client extra connections and extra round trips. It reduces load on OCSP responders.
>
> Ah, ok. So the SSL-enabled server asks the OCSP responder of the server cert issuer. Hmm, let's see if this will ever be widely used. I have some doubts...
>
> Ciao, Michael.

If you're a high volume website, the CA's OCSP responder is more likely to melt on your website than on others. You would have an interest in mitigating that. If you supported stapling, your customers would be able to visit your site even if the responder melts (because they don't have to hit the responder themselves). This means that those who are more likely to cause the problem also suffer most from it.

bob

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
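
The exchange Nelson Bolyard describes above, as an added example that is not part of the original thread: the client's `status_request` extension and the server's `CertificateStatus` handshake message, framed as in RFC 6066 for TLS 1.2 and earlier. The function names and the sample response bytes are constructed for illustration; the parser only unwraps the staple, and a real client must still verify the OCSP response's signature and freshness.

```python
import struct

EXT_STATUS_REQUEST = 5      # RFC 6066 extension type "status_request"
STATUS_TYPE_OCSP = 1        # CertificateStatusType.ocsp
HS_CERTIFICATE_STATUS = 22  # HandshakeType.certificate_status


def build_status_request_extension() -> bytes:
    """Client side: the ClientHello extension that asks the server to staple."""
    # status_type, empty responder_id_list, empty request_extensions
    body = struct.pack("!BHH", STATUS_TYPE_OCSP, 0, 0)
    return struct.pack("!HH", EXT_STATUS_REQUEST, len(body)) + body


def build_certificate_status(ocsp_response_der: bytes) -> bytes:
    """Server side: wrap a cached OCSP response in a CertificateStatus message."""
    body = (bytes([STATUS_TYPE_OCSP])
            + len(ocsp_response_der).to_bytes(3, "big")
            + ocsp_response_der)
    return bytes([HS_CERTIFICATE_STATUS]) + len(body).to_bytes(3, "big") + body


def parse_certificate_status(msg: bytes) -> bytes:
    """Client side: return the stapled OCSP response bytes, or raise ValueError."""
    if len(msg) < 4 or msg[0] != HS_CERTIFICATE_STATUS:
        raise ValueError("not a CertificateStatus handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:]
    if body_len < 4 or len(body) != body_len:
        raise ValueError("truncated or oversized message")
    if body[0] != STATUS_TYPE_OCSP:
        raise ValueError("unsupported status type")
    resp_len = int.from_bytes(body[1:4], "big")
    if resp_len == 0 or resp_len != len(body) - 4:
        raise ValueError("bad OCSPResponse length")
    return body[4:]


# Constructed placeholder, not a real DER-encoded OCSP response.
SAMPLE_OCSP_RESPONSE = b"constructed-ocsp-response-bytes"

if __name__ == "__main__":
    print(build_status_request_extension().hex())
    staple = build_certificate_status(SAMPLE_OCSP_RESPONSE)
    print(parse_certificate_status(staple) == SAMPLE_OCSP_RESPONSE)
```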